Authentication With Remote LDAP Server in Spring WebFlux

In my previous article, we covered authentication and authorization with remote LDAP servers in Spring Web MVC. Since the base concepts are the same, some sections are unavoidably identical in the two articles; they are kept in both so that WebFlux and MVC learners each get a seamless reading experience.

In this article, we will develop a reactive Spring Boot project and integrate it with a remote LDAP server through Spring Security. In addition, we will perform authentication (auth) and authorization (autz) operations over JWT (JSON Web Token) for the APIs we will expose.

CVE-2021-44228: Log4j2 Exploitability and Attack Path Mitigation

Quick Overview

The gravest cyber threat of modern times is upon us in the form of CVE-2021-44228. Here are some key resources:

How to Protect Your Organization: Measure Your Exposure and Enumerate Attack Paths

In order to quickly find and prioritize how at risk you are of a Log4j 2 exploit, you can focus on enumerating the virtual machines and pods that are directly and indirectly exposed to the internet. We used ThreatMapper to detect our own exposure caused by Elasticsearch (which has since been fixed) as follows. Dogfooding much!

Authentication With Remote LDAP Server in Spring Web MVC

There are plenty of articles, videos, and courses about this topic, but nearly all of them use an embedded LDAP server as the source of user information. In this article, we will develop a Spring Boot project and integrate it with a remote LDAP server through Spring Security. In addition, we will perform authentication (auth) and authorization (autz) operations over JWT (JSON Web Token) for the APIs we will expose.

In a business scenario, our application serves as a user portal service that authenticates users and authorizes them for specific APIs based on their LDAP authorities. First, let's talk about the terms we will use.

How to Use Chef and Account Automation With Okta

Heads up: This blog belongs to our integrating Okta with popular infrastructure series. If you aren't into Chef, there are alternatives such as our Ansible, Puppet, and Terraform tutorials.

If you need to manage infrastructure at scale, Chef cookbooks are for you. However, like other configuration management tools, Chef is best when cookbooks don't change a lot. You can accomplish this with typical server setup and configuration tasks, such as installing Nginx and tweaking its configuration file. Once your server gets more traffic, it can become more difficult to manage the server and its accounts. As people leave or join your ops team and you need to rotate server keys, things can get tricky.

Using Pluggable HumanTask Assignment Strategy in jBPM 7

The jBPM 7 release provides logic to find the most suitable user to assign a task to. Multiple assignment strategies are supported in this release:

  • Potential owner busyness strategy (default)
  • Business Rules Strategy
  • RoundRobin Strategy

1. Potential Owner Busyness Strategy:

This strategy makes sure that the least loaded user from the potential owner list is selected as the task owner. To make this strategy work effectively, we need to provide the groups of the users. This can be done by using the UserInfo configured in the environment. To load user group details, we can use the org.jbpm.ht.userinfo option at server startup. We can load the user and group mapping from a DB or from LDAP. We can load user group details from a file as well: we have to create a file named jbpm.user.info.properties in the application classpath.

Open Policy Agent, Part II – Developing Policies

In the previous part of the series, we explored Open Policy Agent and implemented ACL-based access control for our application. In this entry, I am going to share with you some of the discoveries that I made while evaluating Open Policy Agent regarding policy design and development.

Policy Design

After evaluating the policy rules, OPA returns the result of the policy decision to your application. This result is a JSON structure. Depending on your requirements, this JSON structure can contain a single member holding a true or false (authorized/not authorized) value. However, you can also create policies whose evaluation results in an arbitrarily complex JSON document. For example, OPA can return a list of nodes on which Kubernetes should schedule a workload.

Spring Data-LDAP: Part 2

Now that we have plugged in the LDAP information, it is time to wire it into Spring Security. The easiest thing to do is:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity(debug = true) // debug = true logs the security filter chain for every request; turn it off in production
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(WebSecurityConfig.class);

    // The LdapContextSource (server URL, base DN, manager credentials) configured in Part 1
    @Autowired
    private LdapContextSource ldapContextSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // HTTP Basic authentication; "/users" and "/" are public, every other request needs a login.
        // CSRF protection is disabled here, which is only acceptable for a stateless API
        // that is not driven from browser sessions.
        http.httpBasic().and().authorizeRequests().antMatchers("/users", "/").permitAll()
                .anyRequest().authenticated().and().csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Bind authentication against the LDAP server: the user is located under ou=users
        // with uid={0}, and authorities come from the groups under ou=groups whose
        // member attribute contains the user's DN.
        auth.ldapAuthentication().contextSource(ldapContextSource)
                .userSearchBase("ou=users")
                .groupSearchBase("ou=groups")
                .groupSearchFilter("member={0}")
                // A DN pattern normally contains {0} (for example "uid={0},ou=users"); as written,
                // the pattern bind cannot match a user, so authentication falls through to the user search below.
                .userDnPatterns("ou=users,dc=example,dc=com")
                .userSearchFilter("uid={0}");
    }
}